The following webinar, "Training: What is Available at No Cost" was delivered on October 11, 2017, and is the second in the 2017 fall series of Cybersecurity webinars presented by Frosty Walker, Chief Information Security Officer at the Texas Education Agency. The presentation slides are available for download.

The "Guidelines for Cybersecurity Documentation" training was presented on November 8, 2017. The presentation slides are available for download.

Upcoming Cybersecurity Webinars

TEA would like to inform school districts and open-enrollment charter schools of an upcoming opportunity to participate in a series of webinars being conducted by TEA. The webinars will be led by TEA's Chief Information Security Officer, Frosty Walker, in collaboration with the Data Security Advisory Committee (DSAC) to provide insight regarding the resources available at the Cyber Security Tips and Tools section of the Texas Gateway portal.

The March 7th webinar provides information needed for a successful Cybersecurity/Privacy Awareness program, and why a Security/Privacy Awareness program is key in protecting student, parent, and staff information.

Representatives interested in information security issues and resources, which can be utilized within the education communities, are encouraged to attend.

The May 9th webinar provides information regarding Data Privacy Agreements, and what needs to be included in your agreements with vendors and third parties to help you protect student, parent, and staff information.

Representatives interested in information security issues and resources, which can be utilized within the education communities, are encouraged to attend.

Cyber Advisory: New Type of Cyber Extortion/Threat Attack

Summary

Schools have long been targets for cyber thieves and criminals. We are writing to let you know of a new threat, where the criminals are seeking to extort money from school districts and other educational institutions on the threat of releasing sensitive data from student records. In some cases, this has included threats of violence, shaming, or bullying the children unless payment is received.

These attacks are being actively investigated by the FBI, and it is important to note that none of the threats of violence have thus far been judged to be credible. At least three states have been affected.

How to Protect Yourself
The attackers are likely targeting districts with weak data security, or well-known vulnerabilities that enable the attackers to gain access to sensitive data. This may be in the form of electronic attacks against school/district computers or applications, malicious software, or even through phishing attacks against staff or employees.

IT staff at schools/districts are encouraged to protect their organizations by:

ensuring proper audit logs are created and reviewed routinely for suspicious activity;

training staff and students on data security best practices and phishing/social engineering awareness; and

reviewing all sensitive data to verify that outside access is appropriately limited.

What to Do if This Happens to You
If your organization is affected by this type of attack, it is important to contact local law enforcement immediately. It's not mandatory, but if you are an affected K12 school, please contact us at privacyTA@ed.gov so that we can monitor the spread of this threat. Additionally, the Privacy Technical Assistance Center (PTAC) website contains a wealth of information that may be helpful in responding to and recovering from cyber attacks.

While this new threat has thus far been directed only at K12, institutions of higher education should know that they are required to notify the Office of Federal Student Aid (FSA) of data breaches via email pursuant to the Gramm-Leach-Bliley Act (GLBA) and their Title IV participation and SAIG agreements. Additional proactive tools for institutions of higher education are available at our Cybersecurity page on ifap.ed.gov.

Data Breach or PII Exposure Exercises

The following two exercises ask you to consider the appropriate actions to take in the event of a data breach or personally identifiable information (PII) exposure. After reading each slide, consider your next course of action, and list the steps you'd take. Then, move to the next slide.

Questions and Considerations for Cloud Providers

If your district is considering moving its data to a cloud provider, there are some basic questions to ask in order to determine if this host environment can safely and effectively store your sensitive data. Click the key words below to learn more.

HEISC Tool

The EDUCAUSE HEISC assessment tool was created to evaluate the maturity of higher education information security programs using as a framework the International Organization for Standardization (ISO) 27002:2013 "Information Technology Security Techniques. Code of Practice for Information Security Management."

This tool was intended for use by an institution as a whole, although a unit within an institution may also use it to help determine the maturity of its individual information security program. Unless otherwise noted, it should be completed by the chief information officer, chief information security officer or equivalent, or a designee. There are a total of 101 questions. On average it takes about 2 hours for an information security officer or equivalent familiar with their environment to complete this tool.

The self-assessment has been designed to be completed annually or at the frequency your institution feels is appropriate to track maturity. The assessment tool uses the ISO 21827:2008 framework for scoring maturity, which scales from 0 to 5, with 5 being the highest level of maturity:

District Tools: NDA Sample and Information Security Policy Template

Texas Cybersecurity Framework

There are 40 Cybersecurity attributes that DIR is tracking under SB1597, and the linked Information Security Plan Summary spreadsheet shows this tracking in a bar chart. The numbering has been randomized on purpose so feel free to share it.

For each Cybersecurity objective, update columns D through I with the agency's self-assessment as to percentage (in whole numbers) of the organization that meets the DIR standard for maturity.

Column K tabulates the entries' "points" and normalizes the 6 grade levels that reflect the maturity score for the Cybersecurity objective.

Column L converts the objectives' points to the CMMI scale.

Cybrary Information: Free Cybersecurity Training

You can improve your cybersecurity awareness through free educational resources.

Cybersecurity is quickly evolving. Keep your team a step ahead by developing their skills.

Frequently Asked Questions

Question: Is the security framework plan being discussed a TEA mandate?

Answer: No. The security framework plan and the tips and tools are recommendations to address cybersecurity issues being encountered by the education community and improve overall cybersecurity posture.

Question: Are the cybersecurity webinars being recorded and will they be available for future review?

Questions and Answers from the September 13th webinar: Cyber Security Tips and Tools—Incident Response, Being Prepared

Question: Can you tell me the difference between internal FERPA versus external FERPA release?

Answer: An educational agency or institution may disclose FERPA-protected information without parental consent to other school officials, including teachers, within the agency or institution if the agency or institution has determined the officials have a legitimate educational interest. A contractor, consultant, volunteer, or other party to whom the school district has outsourced institutional services or functions may be considered a school official provided the party performs a function for which the district would otherwise use employees and is under the direct control of the district in regard to the use and maintenance of education records. Neither FERPA nor its regulations define the required legitimate educational interest a school official must have to justify disclosure internally, but DOE has stated a school official generally has a legitimate educational interest if the official needs to review an education record in order to fulfill his or her professional responsibility. The FERPA regulations provide that if an educational agency or institution wishes to disclose education records without parental consent under the "school officials" exception, it must establish policies delineating which employees qualify as school officials and what constitutes a legitimate educational interest.

Question: Many Student Information Systems (SIS) have a place for shot records, medicine taken by a student, etc. If a SIS is used by a nurse to track this information, is that data subject to HIPAA rules and in turn do the districts have to follow HIPAA rules?

Answer: Student health records, including immunization records, maintained by an educational agency or institution, including records maintained by a school nurse, are education records subject to FERPA. HIPAA's regulations state that records that are subject to FERPA are not subject to HIPAA.

Question: How does HIPAA relate to this and to the district? Does it impact a breach in some way differently?

Answer: HIPAA's regulations state that records that are subject to FERPA are not subject to HIPAA. Student health records, including immunization records, maintained by an educational agency or institution, including records maintained by a school nurse, are education records subject to FERPA.

Question: May I get a copy of the Incident Response Team Red Book?

Answer: Yes, the Incident Response Team Red Book is available for download at https://www.texasgateway.org/node/153181 at the bottom of the page under Related Items, documents.

Question: Will a copy of the PowerPoint presentation be made available for the attendees?

Answer: Yes, the slide deck is posted at https://www.texasgateway.org/ in the Cybersecurity Tips and Tools section along with a recording of the presentation, Incident Response: Being Prepared, Session 4.

Question: Is there any additional coordination we need to do with our Education Service Centers?

Answer: Anytime you are dealing with a potential exposure of sensitive identifying information, I recommend coordinating with your ESC. They can be a valuable resource and also alert other ESCs of a potential threat, which might prevent additional similar exposures. Please do not hesitate to contact Frosty Walker at frosty.walker@tea.texas.gov or 512 463-5095 for assistance.

Question: When will TEA stop requiring SSNs (except for the one-time generation of TSDS numbers and then using the TSDS number thereafter)?

Answer: TEA works with other entities such as institutes of higher education and the Texas Work Commission which need the SSN to correlate information as students progress into higher education and into the workforce.

Question: What is the best process to use when data is published to the web and is accessible through Google, and while you can remove the source document, Google keeps the document available in its cache?

Answer: You can notify Google, but it will take days before it's gone. Should you experience an exposure of sensitive information at a website which you do not control, you will need to work with the site ownership to remove the data. This may take time, and the data may continue to be cached for several days. This is a situation in which law enforcement may be able to assist.

Question: In a decentralized environment, which department should champion, if not push, Cybersecurity initiatives? We do not have a CISO.

Answer: In most decentralized environments, the Information Technology department; however, that decision should be made by your leadership.

Question: Will you please post the slide deck from this presentation?

Answer: Yes, the slide deck is posted at https://www.texasgateway.org/ in the Cybersecurity Tips and Tools section along with a recording of the presentation, Incident Response: Being Prepared, Session 4.

Texas Education Agency Correspondence on Cybersecurity

The following new Texas Education Agency Correspondence has been posted at the TEA website: